
Dynamically provisioning middleboxes

A middlebox dynamic provisioning technology, applied in the field of dynamic provisioning of middleboxes, addresses the problems of large scale, heavy reliance on custom-configured network forwarding to provide middlebox traversal, and difficulty in scaling up.

Active Publication Date: 2013-01-03
POLYTECHNIC INSTITUTE OF NEW YORK UNIVERSITY

AI Technical Summary

Benefits of technology

The patent describes a method for dynamically provisioning middleboxes in a network. The method involves receiving a data packet with a payload and a packet header, determining the traffic type of the data packet, selecting layer-2 forwarding information that encodes a set of non-forwarding network service provider middleboxes in the network, inserting the layer-2 forwarding information into the Ethernet header of the data packet, and forwarding the data packet through the network using the layer-2 forwarding information. The non-forwarding network service provided by each middlebox in the sequence can include obtaining the MAC address of the next middlebox, updating the destination address in the Ethernet header to the next middlebox, removing the layer-2 forwarding information from the modified Ethernet header, and forwarding the data packet to the destination host. The technical effects of the patent include improved network security, efficient data transmission, and reduced network latency.

Problems solved by technology

The increasing variety in DCN designs and host applications, however, make correct, scalable, flexible and resource efficient middlebox traversal a challenge.
It may be a challenge to scale up the middlebox system to keep up with the growth.
Middleboxes at perimeters, or any small number of clusters, may experience a bottleneck as traffic converges at them.
The heavy reliance on custom configured network forwarding to provide middlebox traversal has serious drawbacks.
Routing and forwarding configuration alone is already complex.
Adding security may make the configuration even more error prone.
Clusters of hardware lack the flexibility to respond and have a natural bottleneck of network scalability.
Unfortunately, however, specialized switches are needed.
Middleboxes deployment may still be partially limited to clusters of deployments at locations that have P-switches deployed.
Unless wide-spread deployment of P-switches is realized, the full flexibility of deploying middleboxes anywhere in the network may not be achieved.
However, inter-VM traffic on the same machine may not be protected unless network forwarding tricks such as VLAN separation are used.
The fact that specialized switches are required may also be undesirable.
For example, configuration and changes in routing, load balancing, traffic engineering in network forwarding typically causes reconfiguration of the middlebox traversal system, and vice versa.
However, a traditional centralized perimeter for security enforcement works against this design principle.
If the web service goes public and becomes well publicized, a sudden surge of traffic may demand additional firewall and DPI capacity.
Unfortunately, given the nature of the cloud paradigm, the churn in traffic loads has to be met by enormous over-provisioning for a highly unpredictable demand.
Operational costs for human intervention are very expensive.
With data centers that may exceed tens of thousands of servers, switches and middleboxes, daily equipment failures are typical.
Requiring manual operations to correctly and efficiently enforce middlebox traversal upon frequent and automated events may be either inefficient or impossible.


Embodiment Construction

[0034] The present invention may involve novel methods, apparatus, message formats, and / or data structures for provisioning middleboxes in a network dynamically. The following description is presented to enable one skilled in the art to make and use the invention, and is provided in the context of particular applications and their requirements. Thus, the following description of embodiments consistent with the present invention provides illustration and description, but is not intended to be exhaustive or to limit the present invention to the precise form disclosed. Various modifications to the disclosed embodiments will be apparent to those skilled in the art, and the general principles set forth below may be applied to other embodiments and applications. For example, although a series of acts may be described with reference to a flow diagram, the order of acts may differ in other implementations when the performance of one act is not dependent on the completion of another act. Furt...


Abstract

Hybrid security architecture (HSA) provides a platform for middlebox traversal in the network. The HSA decouples the middlebox control from network forwarding. More specifically, such embodiments may receive a data packet having a packet header including an Ethernet header identifying source and destination addresses in the network. A traffic type of the data packet is determined. Then, layer-2 forwarding information, which encodes a set of non-forwarding network service provider middleboxes in the network to be traversed by the data packet, is determined based on the traffic type. The layer-2 forwarding information is inserted into the Ethernet header and the data packet is forwarded into the network. The data packet will then traverse, according to the layer-2 forwarding information, a sequence of the middleboxes in the network, wherein at least one non-forwarding network service will be provided by each of the middleboxes to the data packet in a sequence.
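The summary and abstract above describe the traversal mechanics (classify the packet, pick a middlebox chain by traffic type, carry that chain as layer-2 forwarding information in the Ethernet header, have each middlebox point the frame at the next one, and strip the information before the last hop delivers to the host). The following toy simulation is an added illustration of that flow and is not code from the patent or its inventors. The `fwd_info` field, the `TRAVERSAL_POLICY` table, the classifier, the middlebox names and MACs, and the firewall and DPI rules are all constructed assumptions; the page does not specify how the forwarding information is encoded in a real frame.

```python
"""Toy model of layer-2 encoded middlebox traversal (HSA-style).

Added illustration, not the patent's code. All names, MACs, policies and
payloads below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class EthernetHeader:
    src_mac: str
    dst_mac: str
    # Hypothetical carrier for the layer-2 forwarding information: the
    # remaining middlebox chain plus the MAC of the real destination host.
    fwd_info: Optional[dict] = None


@dataclass
class Packet:
    eth: EthernetHeader
    payload: bytes
    traffic_type: str = ""
    trace: List[str] = field(default_factory=list)  # middleboxes that served it


# Constructed address tables for hosts and middleboxes.
HOST_MAC = {"client": "02:00:00:00:00:10", "web-1": "02:00:00:00:00:01", "db-1": "02:00:00:00:00:02"}
MIDDLEBOX_MAC = {"fw-a": "02:00:00:00:ff:01", "dpi-a": "02:00:00:00:ff:02", "lb-a": "02:00:00:00:ff:03"}
MAC_TO_MIDDLEBOX = {mac: name for name, mac in MIDDLEBOX_MAC.items()}

# Constructed policy: traffic type -> ordered chain of middleboxes to traverse.
TRAVERSAL_POLICY: Dict[str, List[str]] = {
    "http": ["fw-a", "dpi-a", "lb-a"],
    "db": ["fw-a"],
    "telnet": ["fw-a"],
}


def classify(payload: bytes) -> str:
    """Constructed classifier: the first payload token names the traffic type."""
    return payload.split(b" ", 1)[0].decode("ascii", "replace").lower()


# Each service returns the packet to keep forwarding it, or None to drop it.
def firewall(pkt: Packet) -> Optional[Packet]:
    return None if pkt.traffic_type == "telnet" else pkt  # constructed rule


def dpi(pkt: Packet) -> Optional[Packet]:
    return None if b"EVIL-SIGNATURE" in pkt.payload else pkt  # constructed signature


def load_balancer(pkt: Packet) -> Optional[Packet]:
    return pkt  # placeholder service: records traversal only


SERVICES: Dict[str, Callable[[Packet], Optional[Packet]]] = {
    "fw-a": firewall, "dpi-a": dpi, "lb-a": load_balancer,
}


def ingress(pkt: Packet) -> Packet:
    """Edge step: determine traffic type, select the chain, insert the
    layer-2 forwarding information and point the frame at the first middlebox."""
    pkt.traffic_type = classify(pkt.payload)
    chain = list(TRAVERSAL_POLICY.get(pkt.traffic_type, []))
    if chain:
        pkt.eth.fwd_info = {"chain": chain, "host_dst": pkt.eth.dst_mac}
        pkt.eth.dst_mac = MIDDLEBOX_MAC[chain[0]]
    return pkt


def middlebox_step(name: str, pkt: Packet) -> Optional[Packet]:
    """Apply this middlebox's service, then rewrite the destination MAC to the
    next middlebox, or strip the forwarding info and address the real host."""
    pkt.trace.append(name)
    served = SERVICES[name](pkt)
    if served is None:
        return None
    info = served.eth.fwd_info
    info["chain"].pop(0)  # this middlebox has been traversed
    if info["chain"]:
        served.eth.dst_mac = MIDDLEBOX_MAC[info["chain"][0]]
    else:
        served.eth.dst_mac = info["host_dst"]
        served.eth.fwd_info = None  # host receives a plain frame
    return served


def send(src: str, dst: str, payload: bytes) -> Tuple[bool, List[str], EthernetHeader]:
    """Forward a frame through the network; returns (delivered, trace, final header)."""
    pkt = Packet(EthernetHeader(HOST_MAC[src], HOST_MAC[dst]), payload)
    trace = pkt.trace
    pkt = ingress(pkt)
    for _ in range(len(MIDDLEBOX_MAC) + 1):  # bounded: chain length is finite
        mb = MAC_TO_MIDDLEBOX.get(pkt.eth.dst_mac)
        if mb is None:
            return True, trace, pkt.eth  # destination is a host: delivered
        pkt = middlebox_step(mb, pkt)
        if pkt is None:
            return False, trace, EthernetHeader("", "")  # dropped by a service
    raise RuntimeError("traversal did not terminate")


if __name__ == "__main__":
    print(send("client", "web-1", b"HTTP GET /"))
    print(send("client", "web-1", b"TELNET login"))
```

The point to notice from a defender's side is the last branch of `middlebox_step`: the forwarding information is removed only after the final middlebox has applied its service, so the destination host never sees the chain, and a frame that a service drops never reaches it. Because the chain is chosen per traffic type at ingress rather than by the switches' forwarding tables, changing which middleboxes a class of traffic must traverse is a policy-table edit, not a routing reconfiguration.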

Description

§1. BACKGROUND OF THE INVENTION
[0001] §1.1 Field of the Invention
[0002] The present invention concerns middlebox traversal in a network such as a data center network. More specifically, the present invention concerns dynamic provisioning of middleboxes.
[0003] §1.2 Background Information
[0004] Data Center Networks (DCNs) are used to host an increasing variety of applications and services, and are growing to tens of thousands of machines. Middleboxes are used to provide services such as traffic monitoring, traffic engineering, traffic policing, network and system security enforcements, etc., in DCNs. Together with the booming market of cloud computing, there is a need for high performance, highly scalable and dynamic middlebox provisioning. While recent advances in DCN architecture address many issues such as scalability, latency, etc., a truly dynamic yet network-forwarding independent middlebox traversal platform does not yet exist.
[0005] Middlebox traversal is an important part of the D...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): H04L12/56, H04L45/50
CPC: H04L45/66, H04L67/327, H04L45/50, H04L45/306, H04L67/63
Inventors: CHAO, H. JONATHAN; XI, KANG
Owner: POLYTECHNIC INSTITUTE OF NEW YORK UNIVERSITY